You need to install at least one RAS Secure Gateway for Parallels RAS to work. You can add additional Gateways to a RAS Site to support more users, load-balance connections, and provide redundancy.
Installing a RAS Secure Gateway on a dedicated server
If you are installing a RAS Secure Gateway on a dedicated server, you can also install the Parallels RAS console on the same server. The console will have limited functionality but will allow you to perform some important management operations on the Gateway, including:
- Setting the Gateway operation mode (normal or forwarding, see below for details).
- Assigning a RAS Connection Broker that will manage the Gateway.
- Setting the Gateway communication port.
- Viewing the Gateway information, such as host OS version, Parallels RAS version, available IP addresses, and other.
The RAS Console in such an installation scenario (when connected to the local computer, not the RAS Farm) will only have two categories that you can select in the left pane: Gateway and Information. To manage the Gateway settings, select Gateway and then click Change Ownership in the right pane. To view the information select the Information category.
When the RAS console is connected to a Parallels RAS Farm (i.e. the server where RAS Connection Broker is running), you can manage RAS Secure Gateways by navigating to Farm > <Site> > Secure Gateways.
How a RAS Secure Gateway works
The following describes how a RAS Secure Gateway handles user connection requests:
- A RAS Secure Gateway receives a user connection request.
- It then forwards the request to the RAS Connection Broker with which it's registered (the Preferred Connection Broker setting by default).
- The RAS Connection Broker performs load balancing checks and the Active Directory security lookup to obtain security permissions.
- If the user requesting a published resource has sufficient rights, the RAS Connection Broker sends a response to the gateway which includes details about the RD Session Host the user can connect to.
- Depending on the connection mode, the client either connects through the gateway or disconnects from it and then connects directly to the RD Session Host server.
RAS Secure Gateway operation modes
RAS Secure Gateway can operate in one of the following modes:
- Normal Mode. A RAS Secure Gateway in normal mode receives user connection requests and checks with the RAS Connection Broker if the user making the request is allowed access. Gateways operating in this mode can support a larger number of requests and can be used to improve redundancy.
- Forwarding Mode. A RAS Secure Gateway in forwarding mode forwards user connection requests to a preconfigured gateway. Gateways in forwarding mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.
Planning for high availability
When adding RAS Secure Gateways to a Site, the N+1 redundancy should be configured to ensure uninterrupted service to your users. This is a general rule that also applies to other Parallels RAS components, such as Connection Brokers or RD Sessions Hosts.